Ouroboros malware launched from space

Shares

Russian-speaking hackers have been using commercial satellites to mask malware attacks on western military and governmental networks in an escalation that has high-level security staff worried.

A report from Kaspersky Lab claims that the group behind the Ouroboros malware (also known as Snake or Turla) has been using commercial satellites to access hidden receiving stations in Africa and the Middle East

Satellites have been a favored front for cyber attacks on military and governmental networks in the West because they mask the location of the command and control servers that hackers use to issue instructions to malware on infected systems.

It exploits the fact that most communications being sent downstream from satellites to Earth are unencrypted and therefore vulnerable to spoofing. Even though there are a number of further steps involved, the escalation of this method has members of the security community concerned.

"We in security are always accused of spreading FUD, but this is the reality of the connected world we live in." said TK Keanini, CTO at Lancope, a company specialising in flow analytics for security and network performance monitoring. "These are talented well-funded threat actors whose job it is to not make the news; so when one does, consider them the sloppy ones."

It's also incredibly hard to trace this kind of attack as the trail often dies quickly and trying to stop it completely is also proving incredibly tricky.

Only one way to stop it

"Using a cloned modem makes it harder for ISPs to block the traffic since it would impact legitimate users," added Ian Pratt, CEO and co-founder, Bromium, an endpoint protection and security firm. "The miscreants can simply switch to cloning a different legitimate user's device."

"Strong authentication of access modems using a key unique to each device is the only way to block this kind of attack, but can only realistically be done for new deployments," he said.

With governmental organisations, embassies and firms in Russia, China and a dozen other countries targeted plus research groups and medical firms, the security community is right to be worried about this method of spreading malware.